WASHINGTON: The Navy is making cyber investigations automatic after any mishap, starting with the at-sea collision that killed 10 sailors aboard the USS McCain. They don’t expect to find any evidence of a cyber attack this time, admirals emphasize, but they’re using the McCain as a test case.

If there was a cyber attack, however, it’s quite possible that there’s no evidence aboard the McCain to find. It would have been much easier for an adversary to hack the merchant ship involved in the accident, the Alnic MC, causing it to turn unexpectedly across the destroyer’s path. That’s the hypothesis — admittedly speculation — of a Navy IT expert we’ve featured previously in these pages, recently retired Capt. John Zimmerman. He commanded the submarine USS Jefferson City, served as deputy chief information officer at Navy Sea Systems Command, and now is vice-president at contractor SubSystems.


“I am certain that the Navy will do an excellent assessment of any possible cyber attack of the McCain – and it should be reiterated, that the Navy has said they have no indications that a cyber attack occurred,” Zimmerman told me. “However, if an adversary wanted to perform this attack, the easier vector of approach would be to attack the merchant ship involved instead of the warship.”

“The merchant ship will have common commercial radar equipment that will be easier to hack, and the bridges of the merchant ships are quite often only manned by one watchstander in the middle of the night,” Zimmerman explained. “So, if you hack the merchant’s radar so it provides no warning to the watchstander or the ship’s autopilot, you now have a 50,000 ton ballistic missile traveling at 15 knots.”

“The benefit of this approach is it is less likely to be discovered than someone directly attempting to hack a warship,” Zimmerman said. “Granted any well-trained crew of a US warship will be able to take evasive action in this case and maneuver to keep themselves safe. However, if the crew isn’t well trained, or alert at their watchstations, then sometimes in these situations they freeze up and don’t take the correct actions.”


A New Kind of Investigation

That said, there are “no indications or reason to believe there was a cyber attack” against either the McCain or the USS Fitzgerald, which lost seven sailors to a collision in July, the Navy staff’s chief cyber expert said this morning. But, said Vice Adm. Jan Tighe, deputy Chief of Naval Operations for information warfare, after two such similar and unlikely accidents in short succession, speculation about a cyber attack was so rife that the Navy needed to address it.

How long, Tighe was asked at the Center for Security & International Studies this morning, will the McCain investigation take? Since it’s the first of its kind, she said, it’s hard to say, but “it could be weeks, it could be months.” It’s so unprecedented, in fact, that there’s no comparable investigation into the Fitzgerald collision. But Tighe emphasized that if the Navy does decide to investigate both ships, “we have all the data from Fitzgerald.”

The Navy is trying to build a template for the future. “This is the first time we’ve done this,” the Vice-Chief of Naval Operations, Vice Adm. Bill Moran, told the House Armed Services Committee last week. “It’s the first time we’ve sent a team from our cyber commander here in Washington…10th Fleet… to pull as much data from that ship as possible.”

“This is to try to institutionalize doing cyber as part of any mishap,” Moran said, whether it involves surface ships, submarines, or aircraft. The Navy has a well-established procedure for so-called “dual-purpose investigations” that look at both the legal and safety aspects of any accident. In the past, though, these teams didn’t look at whether a cyber attack contributed to an accident, either maliciously or inadvertently. (Unauthorized software on a system can cause malfunctions even if that wasn’t its intent.) With Navy craft becoming ever more dependent on advanced electronics, cyber will now be a standard component of every such investigation.


The investigative team now in Singapore, where McCain is under repair, consists of two types of experts. 10th Fleet, aka Navy Cyber Command, handles day-to-day defense of Navy networks and is providing expert cyber defenders – as well as cyber offense specialists who are using their knowledge of how to take a system down to see if something similar was done to McCain. Navy Sea Systems Command (NAVSEA) and Space & Naval Warfare Systems Command (SPAWAR) are providing experts on how the ships’ systems are supposed to work, so it’s easier to find anomalies.

The Navy is building up cyber expertise at its systems commands, which develop, build, and sustain its equipment, Tighe said. Traditionally the SYSCOMs focus on hardware, and their staff are mechanical, electronic, or aeronautical engineers. But increasingly hardware depends on software to function, and that software is increasingly connected to the wider world, whether it’s a constant network connection or a sailor plugging in diagnostic equipment once a quarter. The people who work on the hardware need to be acutely aware of what can go wrong with the software. That education is still a work in progress, Tighe said, as is figuring out what authorities cyber investigators need.

Here and now, there’s no evidence that anyone actually hacked the McCain. “Just about every three-letter agency in Washington DC” has looked for evidence of a cyber attack and found none, Vice Adm. Moran said, referring to intelligence agencies. But one day, in one incident, that will be different – and the Navy needs to be ready.